Contextuality offers device-independent security 
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The discovery of quantum key distribution by Bennett and Brassard (BB84) bases on the funda- 
mental quantum feature: incompatibility of measurements of quantum non-commuting observables. 
In 1991 Ekert showed that cryptographic key can be generated at a distance with help of entangled 
(correlated) quantum particles. Recently Barrett, Hardy and Kent showed that the non-locality 
used by Ekert is itself a good resource of cryptographic key even beyond quantum mechanics. Their 
result paved the way to new generation of quantum cryptographic protocols - secure even if the 
devices are built by the very eavesdropper. However, there is a question, which is fundamental from 
both practical and philosophical point of view: does Nature offer security on operational level based 
on the original concept behind quantum cryptography - that information gain about one observable 
must cause disturbance to another, incompatible one? 

Here we resolve this problem by using another striking feature of quantum world - contextuality. It 
is a strong version of incompatibility manifested in the famous Kochen-Specker paradox. The crucial 
concept is the use of a new class of families of bipartite probability distributions which locally exhibit 
the Kochen-Specker paradox conditions and, in addition, exhibit perfect correlations. We show that 
if two persons share systems described by such a family then they can extract secure key, even if 
they do not trust the devices which produce the statistics. This is the first operational protocol 
that directly implements the fundamental feature of Nature: the information gain vs. disturbance 
trade-off. 

For sake of proof we exhibit a new Bell's inequality which is interesting in itself. The security is 
proved not by exploiting strong violation of the inequality by quantum mechanics (as one usually 
proceeds), but rather by arguing, that quantum mechanics cannot violate it too much. 



While quantum mechanics has been well established 
basis for modern technology for years, recently we faced 
completely new possibilities which quantum mechanics 
offers for processing of information. One of the land- 
marks is the quantum cryptography P, 01 , which allows 
to obtain secure cryptographic key. The first quantum 
protocol for key distribution was given by Bennett and 
Brassard in 1984 0|, and it bases on fundamental quan- 
tum mechanical trade-off between information gain and 
disturbance. Couple years later Ekert proposed a new 
idea for quantum cryptography based on peculiar quan- 
tum correlations which may be shared by distant parti- 
cles called entanglement Q. 

The seminal paper by Ekert carried actually two quite 
different concepts: (i) that quantum nonlocality can be 
responsible for secure key and (ii) that the information 
gain vs. disturbance trade-off of BB84 can be expressed 
in terms of entanglement. The latter idea, clarified by 
Bennett, Brassard and Mermin (BBM) Q quite quickly 
turned out to be crucial for the field of quantum cryp- 
tography. In contrast, the first concept has become fash- 
ionable only much later: after pioneering paper by Bar- 
rett, Hardy and Kent Q it became a boost for a new 
generation of cryptographic protocols - those ex- 

ploiting solely the resource of non-locality, without re- 
ferring to quantum mechanics at all. The protocols of 
the new generation are now of central interest, as they 
may become crucial for the modern technology. Indeed, 



they pave the way to device-independent cryptography 
(i.e. when the devices for producing secret key may be 
produced by the very eavesdropper |6l4ll|). There are es- 
sentially two approaches to device-independent security: 
either one assumes solely no-signaling, or one assumes 
validity of quantum mechanics. In either case, devices 
are not trusted, and security is verified solely through 
the statistics of the measurement outcomes. 

Remarkably, BB84 as well as its entanglement based 
version BBM have never received a device-independent 
extension. A fundamental question arises: can the phe- 
nomenon of information gain vs. disturbance trade-off 
be used to run device-independent cryptography? At the 
first sight it could seem that the situation is hopeless: as 
we will see below, there is a serious obstacle to make the 
BB84 protocol device-independent. One could therefore 
think, that the main concept behind BB84 - the above 
mentioned trade-off - cannot be put to work without com- 
plete specification of the quantum device. 

In this paper we argue that the obstacle can be over- 
come, by use of BBM protocol, a version which was ini- 
tially thought to be formally equivalent to BB84. The 
main resource that allows to make the trade-off opera- 
tional, and use it for cryptography is contextuality (47| . 
It is manifested by the famous Kochen Specker paradox 
[T^ , which received recently much attention being de- 
veloped both theoretically |13l - [l7| and tested experimen- 
tally [l8l - [23| . However, it should be noted, that all those 
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experiments require some additional assumptions, which 
cannot be operationally verified (see [13 )• We shall re- 
fer to most popular version of KS paradox - the Peres- 
Mermin one (24. [25| (see Fig. [T|). However the present 
approach seems to be quite general and suitable for other 
variants of the paradox. 

Since our result takes as a starting point the BBM 
protocol, it carries out the whole philosophy behind BB84 
with one important difference. Namely, in the proposed 
protocol Alice makes measurement on a system which 
will never be in hands of Eve afterwards. This feature 
is crucial, if we want to have operational scheme, i.e. 
the device-independent one. Indeed, suppose that Alice 
measures a system which then goes into Eve's hands. 
Then the system may simply carry the information which 
measurement of Alice was performed (48| . 

Our protocol is instead based on pairs of systems, one 
kept by Alice and one sent to Bob. This prevents from 
imprinting the information "which measurement" into 
the system to which Eve has access. Therefore, the pro- 
posed protocol is as close as possible to BB84, but not 
more. 

Let us emphasize, that although our goal is to obtain 
security without direct referring to non-locality itself, our 
protocol must somehow involve non-locality. Indeed if, 
conversely, there existed some hidden variables. Eve can 
possess them, hence knowing everything about Alice and 
Bob systems. And in fact, there is a deep connection 
between Kochen-Specker paradox and Bell inequalities: 
contextuality being a heart of the KS-paradox translates 
into non-locality manifested by violation of Bell inequali- 
ties (see e.g. |26l - t28| ). Interestingly, in our proof, instead 
of using directly the fact, that there is strong non-locality, 
we shall rather argue the opposite - that the system of- 
fers security, because quantum mechanics cannot allow 
for certain too-strong non-locality. 

As a by-product we obtain a new (to our knowledge) 
Bell's inequality, having peculiar properties. Namely, a 
recently introduced new principle information causality 
[2^ allows to violate it up to maximal algebraic bound, 
while quantum mechanics does not. The inequality may 
thus play important role in studying the fundamental 
question to what extent information causality reproduces 
quantum mechanical limitations of Nature. 

The essential features of BB84 .- Let us briefly re- 
call the BBM version of BB84 (in Lo-Chau-Ardehah style 
[soj). Alice and Bob share many pairs in maximally en- 
tangled state. They select a random sample for testing 
purposes. On this sample, Alice and Bob measure on 
their particles at random one of two non-commuting ob- 
servables and cr^. In case the particles are photons, 
the observables may be taken horizontal vs. vertical po- 
larization and 45° vs. 135° polarization respectively. If 
the choices of Alice and Bob agree, the outputs should 
be correlated if the state is indeed maximally entangled. 
In presence of Eavesdropper or noise, the state may not 
be exactly maximally entangled anymore, and therefore 
Alice and Bob observe some error rate (correlations are 



not perfect). If the error rate is too large, they abort 
the protocol. If not, they measure cr^ on the remaining 
pairs. The outcomes of the latter measurement are called 
raw key. If the error were zero, then they would consti- 
tute perfect key, while if the error is nonzero, but not too 
large, Alice and Bob can apply procedures called error 
correction and privacy amplification to obtain (asymp- 
totically) perfect key from the raw key. 

Thus the main idea behind is that Alice and Bob check 
if they have correlations, and any Eavesdropper must de- 
stroy the correlations, in order to gain knowledge. Let us 
emphasize: we do not say here about special "non-local" 
correlations but just standard correlations meaning that 
outcome of Alice's measurement is the same as outcome 
of Bob's measurement. Eve must introduce disturbance, 
because the correlations are observed for outcomes of 
noncommuting observables - the ones that cannot be si- 
multaneously measured. This suggests that in our oper- 
ational analogue we should use Kochen-Specker paradox, 
which is a manifestation of impossibility to measure some 
observables jointly. 

We shall consider a notion of a "box" [3l| - a family 
of probability distributions. The box has finite number 
of inputs and for given input, it returns output, whose 
statistics is described by respective probability distribu- 
tion. The inputs are simply observables. Our box will 
respect quantum theory, i.e. it will be physically realiz- 
able. On the other hand, since the number of probability 
distributions is finite, it can be tested statistically, with- 
out any knowledge of how the device was built. 

For the purpose of our protocol, we shall propose a 
Kochen-Specker bipartite box, which will exhibit the fol- 
lowing features: on one hand the local outcomes will sat- 
isfy KS constraints, which implies that they have to come 
from observables that cannot be measured jointly, and on 
the other hand if the same observable is measured by Al- 
ice and Bob, the results are perfectly correlated (see j32| 
in this context). We shall then prove, that such a box 
provides about half bit of secrecy. Then we will consider 
a noisy version of the box. 

Peres- Mermin version of the Kochen Specker 
paradox .- We shall use the Peres-Mermin version of 
KS paradox [2^ . [25| . The quantum observables and the 
KS conditions are depicted on Fig. [TJ The Peres-Mermin 
box (PM box) is the set of 6 joint probability distribu- 
tions. Namely, the box has nine observables (inputs) 
Xij, i,j S {1, 3} in 3 X 3 array, and in any given row 
(column) the binary observables can be measured at the 
same time. The box is therefore a family of six prob- 
ability distributions, (3 rows and 3 columns) and each 
distribution is a joint distribution of three observables. 
We demand that the outputs satisfy the following condi- 
tion: 

• [KS condition] The 6 joint distributions satisfy con- 
straints, coming from Kochen-Specker type para- 
dox: measuring the rows and two leftmost columns, 
one always get even number of +l's, while the last 
column has always odd number of +l's. 
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FIG. 1: Peres-Mermin version of Kochen-Specker paradox. 
We have 9 observables Xi arranged into 3x3 array. If one 
chooses the observables as in (b) - where we have two two- 
level systems and ct'^^'s are Pauli matrices on i-th system - 
quantum mechanics allows for joint measurement only of ob- 
servables in a chosen row or a chosen column. One can ask 
whether some better theory could reproduce quantum me- 
chanical predictions, allowing however to predict outcomes of 
all nine observables at the same time. This was the subject of 
the famous Einstein-Bohr controversy. The Kochen-Specker 
paradox says that it is impossible. Namely, quantum mechan- 
ics predicts that along solid lines, the outcomes, if multiplied 
give with certainty 1, while on the dashed line they give -1. 
Thus, supposing that these nine observables have some preex- 
isting values, which are merely revealed by measurement, we 
would obtain different value of the product of all nine of them, 
if multiply them in different order, which is a contradiction. 
So if one insists on ascribing some definite values to observ- 
ables, the value of at least one of them would need to depend 
on whether the given observable is measured within row or 
within column, i.e. on the context. Thus only contextual val- 
ues can be ascribed. Recently, Kochen-Specker paradox was 
expressed in terms of inequalities [l5l | which paved the way to 
experimental verification of contextuality. The latter, how- 
ever, is still not fully operational and needs some additional 
assumptions. 



In the following we shall consider a distributed version 
of the above box. 

Ideal distributed PM box and intrinsic 
randomness.- We define a distributed Peres-Mermin 
box, shared by Alice and Bob as follows. Both Alice 
and Bob have Peres-Mermin array of observables, which 
locally satisfy the above mentioned conditions (KS and 
compatibility ones). Alice measures columns of the ar- 
ray, while Bob measures rows. This, in particular as- 
sures, that e.g. at Alice's site each observable from the 
array is measured in a fixed context, unlike in original 
KS paradox, where there is only one laboratory, and 
observables have to be measured in two different con- 
texts. The same holds for Bob's site. In addition we 
assume AB-correlations, i.e. that there are perfect corre- 
lations between the outcomes of the same observables on 
Alice and Bob side. Also, we consider a non-signaling, 
meaning, that Alice's local distributions do not depend 
on the choice of measurement by Bob. The no-signaling 
condition allows to say meaningfully about Alice's and 
Bob's local distributions (i.e. allow for existence of sub- 
systems). Let us emphasize, that the distributed version 
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FIG. 2: The distributed Peres-Mermin box. Solid or dotted 
line means that there is an even number of — I's while dashed 
line - odd number of —I's. 



of Peres-Mermin box exhibit necessarily non-locality (as 
is actually true for distributed version of any KS para- 
dox see e.g. [13 )■ Indeed, in distributed scenario non- 
contextuality translates into non-locality, which in turn 
is a necessary condition for security. 

Formally, distributed PM box is a family of 9 condi- 
tional distributions P(a, b|A, B) Here A — 1,2,3 runs 
over columns of PM array, B = 1,2,3 runs over rows of 
the array, and a {a.ia2CLz) and b — (5162^3) denote 
triples of outcomes. As said, the family has to satisfy the 
following conditions: 

• [KS condition] For = 1, 2 and S = 1, 2, 3 the 

product of outcomes is 1, i.e. a e {+ + +, 

+ , — \ — , h}, and the same for b. For yl = 3 

the outcomes with nonzero probability multiply up 

to -1, so that a e { ,- + +,+ -+, + + -} 

in this case. 



• [AB correlations] For A 
a,; = 6,-. 



i and B = j we have 



• ]no-signaling] The marginal probability P(a|^, B) 
does not depend on B and similarly for P{h\A,B) 
does not depend on A. 

Further we shall use a different notation, depicted on Fig. 

m 

Intrinsic randomness from ideal distributed PM 
box.- We shall now assume that a distributed PM box 
comes from quantum mechanics, but we do not know how 
it is implemented (i.e. what observables are measured, 
and in which quantum state) . We are thus in a paradigm 
of device-independent security (T]| which assumes validity 
of quantum mechanics. Under such assumption we shall 
show that the outcomes of a fixed row/column (for def- 
initeness take first row of Bob's system) possess about 
0.44 bits of intrinsic randomness (hence they offer se- 
curity). Consider first a simpler problem, namely let 
us prove, that on Bob's side, the outcomes of first row 
and first column cannot be all deterministic, i.e. their 
marginal probabilities cannot be all or 1). Suppose, 
conversely, that they are all deterministic. Without loss 
of generality, we can assume that all the involved observ- 
ables {B[,Bi,B'{, B2, ) have value Due to perfect 
correlations the corresponding A's are also set to 
Exploiting now AB-correlations and KS-condition, one 
obtains super-strong correlations for the following four 
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FIG. 3: Deterministic values for first Bob's row lead to a 
system of perfect correlations and anticorrelations violating 
maximally a Bell inequality. Solid or dotted line means that 
there is an even number of — I's while dashed line - odd num- 
ber of —I's. 



outcomes: a = A2,a' = A'^,b = B2,b' = B^. Namely, 
pairs (a&), {ah'), (a'b) are perfectly correlated, while {a'b') 
is perfectly anti-correlated. Such correlations would vio- 
late the CHSH inequality [H 



\{ab) + {ab') + (a'b) - {a'b') \ < 2 



(1) 



up to 4, while it is well known that quantum mechanics, 
due to Tsirelson bound |33| allows only for 2\/2. 

Let us now show that also the first row itself cannot 
have deterministic values at Bob's side. Assuming now 
that the values in the row are all -1-1, and exploiting KS- 
condition and AB-correlations, we shall now obtain a sys- 
tem of correlations. Note, that due to KS condition, we 
have = B1B2, and B'^ = B[B2. (We cannot say 
that same about A's because they are not measured in 
rows). Now, values -t-1 in first row imply, that in addition 
to perfect correlations for pairs {Ai,Bi) with i ~ 1,2,3, 
we have also perfect correlations for pairs {Ai,B[) and 
(A2,i?2) and perfect anti-correlations for (^3,53). The 
whole reasoning is depicted on Fig. [3] This means that 
they violate the following Bell inequality 



7(A : B) = {A,Bi) + {A2B2) + {A3B3) 
+{MB[) + {A^B'^) - (AsBi,) < 4 



(2) 



(where ^3 = B1B2, B'^ = B'^B'2) up to 6, i.e. the corre- 
lations again reach the absolute, algebraic bound. Now, 
one can show that this is impossible from quantum me- 
chanics. Namely, it was shown in (35| we know, that in 
quantum mechanical correlations cannot allow to win a 
so-called "pseudo-telepathy" game [i^ which cannot be 
won within a classical theory, if the game involves no 



more than two observables on one of the sites. In our 
case, since BiS can be jointly measured, they can be re- 
garded as a single observable with four outcomes (same 
for B'j). Thus we have two observables on Bob's site, 
and one can show that so extremal violation of the above 
Bell inequality actually means winning a certain pseudo- 
telepathy game. We shall not describe it in a full detail 
here, because we intend to provide a quantitative upper 
bound for quantum mechanical violation of the inequal- 
ity. However, already at this point, we can notice that 
while usually, to prove device-independent security one 
was looking for a large violation, in our case, we have 
to do the converse job, and rather show that some Bell's 
cannot he violated too strongly by quantum mechanics. 

So far we have argued, that the values in first row 
cannot be deterministic. However, in order to use it for 
cryptography, we need some quantitative statements. 

Let us thus first relate the degree of violation of the 
inequality and the constraints on probability distribution 
of the first row. To this end we shall use an equivalent 
inequality expressed in terms of probabilities rather than 
correlations: 

P{A : B) = p{Ai = Bi) + p{A2 = B2) + ^(As = B3) 
+p(Ai = B[)+p{A2 = B'2) +p{A^ ^ B'^) < 5. (3) 

One finds that I3{A : B) = (7(A : B) + 6)/2. Let p, = 
p{i\+) be probability that bu ~ +1, i.e. it is marginal 
probability of obtaining -fl for a given outcome from 
the first row on Bob's site. Then by using elementary 
inequality p{C D D) > p{C) +p{D) — 1 for any events C 
and D, and exploiting AB-correlations and KS-condition 
we obtain that 



f3{A:B) =pi+P2+P3 + 3. 



(4) 



Suppose now we have the following bound for quantum 
mechanical violation of inequality ([3]): f3{A : B) < f3o < 
6. We obtain 



Pi + P2 + P3 < /3o - 3 



(5) 



i.e. not all of pi can be 1. In a similar way, employing 
three other possibilities of assigning deterministic values 

to the Bob's first row (H , — I — and h) one 

obtains 



Pi + (1 - P2) + (1 - P3) < /So - 3 
(1-Pi)+P2 + (1-P3) </3o-3 
(1-Pi) + (1-P2)+P3 </3o-3 



(6) 



Let us now consider joint probability distributions for 
the outcomes of the first row on Bob's site go = q{+ + 
+), 91 = 9(H ), 92 = q{- + -), qs = q{ h), with 
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(/o + 91 + 92 + 93 = 1 • One gets the following relation 
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Then the constraints ([B]) imply 

9.<^(/?o-4) = i(7o-2) (8) 

for i ~ 0,1,2,3. We have obtained numerically 70 = 
5.6364, which gives 

q, < X. (9) 

with X < 0.9091. Let us note here is easy to see that 
X > 1/2, as this value would correspond to /3q = 5, clearly 
achievable even within classical theory. Finally note, that 
due to AB-correlations, we have the same bounds for 
probabilities in Alice's first row. 

Secure key from ideal box.- Suppose that Alice and 
Bob share a bipartite box Rab (which they can verify by 
testing samples). This box may be decomposable into 
some other boxes, 

Rab=J2i-^ab (10) 

e 

(where we deliberately label boxes by e, as it will be Eve, 
who knows which box R^b actually realized) . The de- 
composition ((TU)) arises as follows: Eve creates a joint 
box Rabe, and hands the part Rab to Alice and Bob. 
When they announce their choices of measurements. Eve 
measures her part, and we do not specify her inputs and 
outputs (the latter denoted by e), so that her power is to 
split the Alice and Bob box Rab hito arbitrary ensem- 
ble {qe^R^g} which satisfies J^el^^AB ~ Rab- This 
power is analogous to the situation in quantum mechan- 
ics, where we hand to Eve the purification of the Alice 
and Bob state, which means that Eve controls the whole 
Universe, except of Alice's and Bob's labs. That this is 
the only thing which Eve can do, follows from impossi- 
bility of signaling from Eve to Alice and Bob (see |10|). 

Now, let the box Rab be a bipartite Peres-Mermin 
box. Then the boxes Rab must be bipartite Peres- 
Mermin ones, too. This is because the conditions deter- 
mining bipartite PM boxes (i.e. KS condition and AB- 
correlations) are formulated as ascribing certain proba- 
bilities value 0, while no-signaling is a principle assumed 
to be always true (as we shall eventually use quantum me- 
chanics which obviously obeys no-signaling). Thus Eve 
can only decompose the box R again into distributed 
PM-boxes. 

Suppose now Alice and Bob share n boxes. They se- 
lect a sample to verify, that they share distributed PM 



box. In verification procedure, Alice measures at random 
columns, while Bob measures at random rows. From the 
rest of boxes they would like to draw key. We have shown, 
that Eve cannot know the first row exactly, while Alice 
and Bob are correlated. So Alice and Bob should both 
measure first row, and thanks to AB-correlations, would 
obtain key. However if Alice would measure row, she has 
to use a different setup of the device, than she used when 
measuring columns. Since our protocol is to be device- 
independent, we have to assume, that the device can be 
malicious. In particular, when Alice wants to measure 
rows, she may in fact measure some completely differ- 
ent observables than when she measured columns. And 
Eve can know the outcomes of those new observables per- 
fectly. 

However, since we already know, that outcomes of 
Bob's first row are relatively secure, it is enough that 
Alice measures also the first row provided, that the out- 
comes are perfectly correlated with the Bob's row, which 
now we assume. 

This suggests the following protocol. Alice and Bob 
share n pairs of particles. They select two samples. On 
the first sample, they measure at random columns and 
rows, respectively. This allows to verify that they indeed 
share a distributed PM box. On the second sample Alice 
and Bob measure just the first row, and verify whether 
their outcomes are correlated. On the rest of pairs Alice 
and Bob measure also the first row, and the outcomes 
constitute a so called raw key. Then they apply standard 
procedures of error correction and privacy amplification, 
to obtain shorter, but secure key. More precisely: in the 
case of ideal PM box, error correction is not needed (as 
the outcomes of Alice and Bob are by perfectly corre- 
lated) and only privacy amplification will be performed. 
The error correction is be needed in the noisy case, which 
we will further describe. 

To estimate the amount of obtained secure key, we shall 
now analyse the triple of random variables {A,B,E). 
The A and B are variables describing the first row of 
Alice and Bob respectively, and E is the variable of Eve 
describing the choice of ensemble (|10p i.e. E ~ e with 
probability q^. Now we can use the well known Csiszar- 
Korner formula 

K>I{A:B)-I{A:E) (11) 

which provides a lower bound for the rate K of secure 
key [la, [131 where I{A : B) denotes Shannon mutual 
information of the joint probability distribution of Al- 
ice's and Bob's first row, and I{A : E) denotes mu- 
tual information of joint probability distribution of Al- 
ice's row and output of Eve's measurement. The formula 
rewrite the expression by means of conditional entropies: 
H{A\E) - H{A\B). Since Alice and Bob are perfectly 
correlated, H{A\B) = 0. However Eve will split the box 
into an ensemble, any member of ensemble is PM box has 
to satisfy the bound One easily find, that the distri- 
bution of smallest entropy, which satisfies the bound is 
(x, 1 - a;,0,0). Thus H{A\E) > 0.439, and this rate of 
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secure key can be obtained. 

The considered ideal distributed PM box corresponds 
to the situation, where there is no disturbance (perfect 
correlations between Alice and Bob) . We see that in this 
case, Eve can gain some knowledge, however she can- 
not have full knowledge. We thus observe a version of 
information-gain vs. disturbance trade-off, where it is 
impossible to gain full knowledge about the system with- 
out disturbing its correlations with another system. Be- 
low we will complete the picture by considering presence 
of disturbance. 

Noisy case .- Suppose that Alice and Bob while mea- 
suring correlations obtain average bit error rate q (i.e. q 
is the ratio of anti-correlated events to all events). First 
of all, let us note that the noisy box can still satisfy per- 
fectly KS conditions. This is because Alice and Bob can 
force it by measuring only two observables out of three 
(that forms say a row), and fabricating the outcome of 
the third one, rather than measuring it. Therefore, the 
noise will influence correlations between Alice and Bob. 
We shall assume that on the test samples, for any ob- 
servable from the Peres- Mermin array Alice and Bob ob- 
tained correlations with probability 1 — e, i.e. e measures 
the error level. Clearly, the larger the error, the looser 
are the constraints for probabilities of the Bob's first row. 
One can find (see Appendix) that the constraints © be- 
come now 



< a; - 4.5e 



(12) 



with X ~ 0.9091. From this, one can obtain the following 
bound on H{E\B): 

i/(B|i;) > sup(l - ■^)/i(.T + 4.5(5). (13) 

<5>0 

The lack of correlations influences also H{B\A), which in 
turn can be bounded as follows 



H{B\A)<h{^-e)+^-e\ogi. 



(14) 



Inserting it to the Csiszar-Korner formula (fTT|) . and 
putting 6 = 1.8 we obtain that for e < 0.68% secure key 
can be obtained. This is smaller than typical thresholds 
obtained from CHSH, which are of order of 2%. However 
our estimates have not all been tight, and there is still 
some room for optimization. 

Quantum mechanical implementation and the 
security level.- So far we have considered an abstract 
box. To make use of our results, we need to know, that 
the box can be realized in labs, i.e. that the box can be 
simulated quantum mechanically. Indeed, it is the case: 
the box is obtained by Alice and Bob measuring Peres- 
Mermin observables (see Fig. [1]) on two pairs of qubits 
in maximally entangled state (which were recently used 
to derive non-locality from contextuality [111, see also 
(28j). Let us mention here, that if we had a tripartite 
PM box, with perfect tripartite correlations, then one can 
show that one secure bit can be obtained by the three 



parties. And moreover, the security would come solely 
from no-signaling assumption. However, though there 
exists such a no-signaling box, unfortunately, cannot be 
implemented by quantum mechanical devices, i.e. it does 
not exist in Nature (this is actually implied by our present 
result) . 

Our reasoning proves that the obtained key is secure 
under the so called individual attack: Eve couple to each 
box independently, and measures before Alice and Bob 
perform error correction and privacy amplification pro- 
cedures. We believe that one can apply the ideas of 
01 S B [m to obtain stronger security. 

Conclusions .- We have provided the first operational 
protocol that directly implements the fundamental fea- 
ture of Natme: the information gain vs. disturbance 
trade-off rather than used so far non-locality. It imple- 
ments the original idea of BB84, that one who gains in- 
formation, will at the same time introduce disturbance, 
but does it on operational level, i.e. the security is here 
verified by the very statistics of the measurement, allow- 
ing for the devices to be built by the very Eavesdropper. 
The trade-off appears, because Alice and Bob measure 
incompatible quantities, which we imposed by applying 
Kochen-Specker paradox. 

Let us compare our approach with the previous 
device-independent protocols which directly employ non- 
locality. Clearly our bipartite box must be non-local, oth- 
erwise, as argued by Ekert, Eve could have full knowledge 
of all results of measurements. However it is interest- 
ing to find a more direct relation between our approach 
and non- locality approach. To this end, one may em- 
ploy non-locality obtained by Cabello [3^ precisely for 
the distributed PM paradox, and derive from it exis- 
tence of the key to see the connection. Paradoxically, 
we have proved security not by exploiting the fact that 
our system exhibits a strong non-locality, but rather by 
showing, that a part of our total system cannot exhibit 
too strong non-locality. As a by-product we have ob- 
tained a new Bell's inequality, whose maximal violation 
is excluded only within so-called second hierarchy of nec- 
essary conditions for a given distribution be reproducible 
by quantum mechanics according to classification of [s^ . 

Remarkably, the exhibited bipartite box allows Eve's 
to gain some information without causing any distur- 
bance. Thus the trade-off is not so strict as the one 
offered by full quantum formalism. However this infor- 
mation gain is smaller than the amount of correlations 
shared by Alice and Bob (2 bits), which allows for creat- 
ing secure key. 

The fact, that from KS paradox one can obtain secu- 
rity, appears to be not occasional from yet another point 
of view. Namely, some sets of KS like observables (yield- 
ing paradox), lead also to some error correcting codes 
4C I , and the latter are again connected with security 



Finally, our work suggests some further developments. 
First of all, in our paper we have obtained device- 
independent security, which assumes validity of quantum 
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mechanics. There is an open question, whether one can 
have a stronger version of device-independent security - 
the one based solely on no-signaling, and not assuming 
any knowledge about quantum mechanics. To this end, 
one should analyse other Kochen-Specker paradoxes and 
apply them to obtain security. In other words, we believe 
that analysis of restricted class of non-local scenarios - the 
ones being distributed versions of local Kochen-Specker 
paradoxes may lead to some interesting general results 
on device-independent security. 
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Appendix A: Bound for probabilities of the first 
row: ideal PM box 

Here we shall prove the bound ([5]) in more detail. Sup- 
pose that upper row of Bob with certainty gives result 
-|- -|- -|-. This means, that upper observables from each 
Alice's row, have deterministic value 4-1. In other words, 
with certainty we have A" = +1, = +1, A3 = +1 (for 
notation, see Fig. Thus, due to KS conditions, the 
two other observables in Alice's rows are correlated in 
two first rows, and anti-correlated in the last row: 

Ai = A[ 

A, = ~A',. (Al) 

On the other hand, from AB-correlations we have that 
all those observables are perfectly correlated with cor- 
responding Bob's observables (i.e. Ai = Bi, A[ = B[ 
and A'l = B'l for all i). Since each pair of observables 
in the formula (jAl[) is jointly measurable, we obtain the 
following correlations in the total system: 

Ai=B[ 

A2 = i?2, A2 = i?2 

A3 = B3, A3 = -B'^. (A2) 

There are three observables of Alice and six observables 
of Bob involved. We now formulate Bell quantity 

7(A : B) = (AiBi) + {A2B2) + {A3B3) 

+ {A,B[) + {A2B',)-{AsB',). (A3) 

The correlations ([Mjl mean that "f{A : B) = 6. We 
shall now suppose that 7 is not necessarily 6, and derive 



constraints for Bob's probability distribution for the first 
row in terms of 7. 

To this end, we shall use another closely related Bell 
quantity: 

P{A : B) = p{Ai = Bi) + p{A2 = B2) + p{A^ = B3) 
+p(Ai = B[)+p{A2 = B'^)+p{A^ ^ B'^). (A4) 

Let us note that 

/3(A:B) = i(7(A:i?) + 6). (A5) 

Note that from AB-correlations we have that 

p(Ai = Si) = p{A2 = B2) = piAs = B3) = 1. (A6) 

We shall now relate the other three probabilities with 
Bob's distribution of the first row. Let us denote Bob's 
distribution in the first row by qi,i = 0, 1, 2, 3 with 

qo = Pr(+1,+1,+1) 
91 =Pr(+l,-l,-l) 
q2 = Pr{-1,+1,-1) 
93 = Pr(-1,-1,+1). (A7) 

We have go + 91 + 92 + 93 ~ 1- Consider now the marginal 
distributions of each observable from the row, and let pi 
be a probability that we obtain +1 for i-th observable in 
the row, i.e. pi = Pr{B'/ = +1). More generally we shall 
denote Pi{k) = Pr{B^ = k) for k = ±1. Here is relation 
between q^ and pi 

Pi= qa + qi 
P2 = qo + 92 

P3 = qo + q3- (A8) 

Note that p^'s do not sum up to 1, as they represent three 
separate probability distributions — pi). The above 
relation gives 



90 = 




+ Pi 


+ P2 


+ P3) 


qi = 


la. 


Pi - 


P2 - 


Ps) 






Pi + 


P2 - 


Pa) 


q-s 




Pi - 


P2 + 


Pa)- 



At first sight, it might seem that the above relation allow 
for negative 9i's, but we have to recall, that not allp^'s are 
allowed due to KS conditions. We shall now first derive 
the constrains for p^'s and then translate them into the 
constraints for g^'s. 

Now, note first that due to AB-correlations, each Al- 
ice's observable in the first row have the same distribu- 
tion as Bob's corresponding observable in his first row. 
Thus Pi 's are equal also to marginal distributions of ob- 
servables from Alice's first row. Consider now a chosen 
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Alice's observable from the first row. Due to KS condi- 
tions we have 

Pr{Ai = A\) = Pr{A'l = +1) = p^. (AlO) 

Similarly, we have 

Pr{A2 = A'^) = P2 

Pr(^3 = a:,) =p3. (All) 

We consider now three events: X = {Ai ~ A[}, Y = 
{A[ = B[} and Z = {Ai = B[}. Clearly X (lY d Z, 
and using an elementary inequality valid for any events 

Pr{XnY)>Pr{X) + Pr{Y)-l (A12) 

we obtain that Pr{Z) > Pr(X) + Pr{Y) — 1 which means 
that 

Pr{Ai= B[)>pu (A13) 

since Pr{Y) = 1 (from perfect AB-correlations). Simi- 
larly we obtain 

Pr{A2 = B'^) > p2 

PriA^^ B':,)>P3. (AM) 

Thus we obtain the following relation between /3 and pi 's 
for perfect correlations: 

13 >Pi+P2+P3 + 5. (A15) 

Thus we have proved the following lemma: 

Lemma 1 Let (3 denote the Bell quantity \AA\ . and let 
Pi he probabilities of obtaining +1 while measuring i-th 
observable of the first row of Bob. Then 

</3-3. (A16) 

The lemma was obtained by analysing a situation when 
Bob receives output -I- -I- -I- in the first row with some 
probability, not necessarily equal to 1. In a similar way 

we can treat three other events: -) . — \ — and h. 

They lead again to prefect correlations/anticorrelations 

for the observables (|A2[) . For H , A2 and B'2, are 

anticorrelated, for — I — , Ai and B[ are anticorrelated 

and finally for h Ai are anticorrelated with B'^ for i = 

1, 2, 3. This leads, in turn, to three other Bell quantities 
/3i, P2 and jS^ which are all equivalent to the quantity 
/3, via redefining some observables (multiplying by — 1). 
Thus maximal quantum mechanical values of all those 
quantities are equal. Let us call this maximal value /?o 

Analysing the mentioned three cases in the same way 
as above, we obtain 

Pi + (l-P2) + (l-P3)</3o-3 

(1-Pl)+P2 + (1-P3) <^0-3 

{l-pi) + {l-P2)+P3<f3o-S- (A17) 



Using (|A9p . these inequalities and the fourth one ob- 
tained in the lemma above, we get 

9. <^(/3o-4), (A18) 

and translating it into 70 (which is a maximal quantum 
value of quantity 7) we obtain the following lemma: 

Lemma 2 The prefect AB-correlations and perfect KS 
conditions imply that 

q^<\{lo-2), (A19) 

where {qi} is the joint probability distribution of the out- 
comes of Bob 's first row. 



Appendix B: Bound for probabilities of the first 
row: noisy PM box 

In this section we shall prove inequalities ([T^ and , 
as well as provide the estimate for the noise threshold. 
We consider a noisy PM box. The KS conditions are still 
perfect, because in every row (column) one of observables 
is not measured, but is produced to fit the conditions. 
Thus only the AB-correlations are not perfect. 

The error estimation in the protocol can be divided 
into two parts. First, Alice measures chosen at random 
columns and Bob - chosen at random rows. There are 9 
different combinations of rows and columns, and in each 
combination there is one common observable. We shall 
assume that for each combination, there is the same prob- 
ability of error e (i.e. of obtaining different outcomes). 
This stage determines bounds for probabilities of Bob's 
row (hence also puts bounds on H{B\E)). 

In the second part of the error estimation, Alice mea- 
sures first row, and Bob measures first row too. Let the 
probability that their outcomes disagree be e. In order 
to have a single noise parameter, we need to relate e with 
error probability for single nodes of the row, which for 
simplicity we also assume to be e. From KS condition we 
get 



This part of error estimation will put bound on H{B\A)^ 
which we shall do in next section, where we derive bounds 
for both conditional entropies. 

In this section we shall deal with the first part. Let 
us name the observables of the first Alice's row A", and 
first Bob's row i?". 

We want to find constraints for probabilities of Bob's 
first row P{B" ) W e shall start with P(Bf = +1) = p^, 
By inequality (jA12p . and using the fact that B'l and A'l 
are correlated with probability 1 — e we have 

P{.A'l = +1) > p. + (1 - e) - 1 = p. - e (B2) 
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By KS condition 



PiA, ^ A',) 
P{A, + A'l) 



P^K 



-1) 
-1) 



each node the probabihty of error is the same, equal to 
e, hence by ((BT|) 



(B3) 



li{B\A)<h\-e 



-elogS. 



(C2) 



Again, since B[ and A!^ are correlated with probability 
1 — e we have 



P{A2 = i?^) > P{A2 = ^'2) + P{A'^ = 50 
P(A3 ^ B'^ > P{A, = A!,) + P{J^^ = 50 



On the other had we have 



so that 



P[A, = B,)>l-e 



/? > Pi + P2 + P3 + 3 - 9e 



Pl+P2+P3< P' 



1 > Pi - 2e 
1 > P2 - 2e 
1 > P3 - 2e 
(B4) 



(B5) 



Let us now estimate conditional entropy H{B\E). 
First, consider a box which satisfies KS conditions and 
have probability of anticorrelations e. The entropy of 
Bob's first row is bounded from below by 



HiB;e)>h{x) = fie) 



(C3) 



(B6) 



(B7) 



i.e. we have obtained constraints of the same form as in 
the noiseless case (jA15[) . with /3 replaced with (3' = /3+9e. 
Similarly we can proceed for three other cases in Bob's 

first row (H , \ , h) to obtain the following 

bound for joint probabilities qi of outcomes of the first 
Bob's row: 



and finally: 



< i(/3o + 9e-4), 



1 , 9e 
<^(7o-2) + y. 



Due to our bound 70 < 5.6364 we get 
q, < 0.9091 + 4.5e 

For aU i = 0, 1,2,3. 



(B8) 



(B9) 



(BIO) 



Appendix C: Bound on conditional entropies 

Let us start with bound for H{B\A). This entropy is 
evaluated on joint probability distribution coming from 
first row on Alice side and first row on Bob's side. Let 
e be probability of error (i.e. that the outcomes differ). 
Then we use Fano's inequality: 

H{B\A) < h{l) + l\og{\B\ - 1) = h{l) + ?log3 (CI) 

A more natural error parameter for the whole protocol 
is probability of error in single node. We assume that in 



where x = min(0.9091 + 4.5e, 1). Note that / is non- 
negative, decreasing function of e. Let Eve make a mea- 
surement on her system. This splits Alice's and Bob's 
box into ensemble: Rab = Se'^e-^AS- For notational 
convenience, let us use indices i in place of e. Then 



H{B\E)=iniY,nH{B), 



(C4) 



where H{B)i is Bob's first row entropy of box R\g 
and infinium is taken over all decompositions Rab = 
Till "'"iPjiB "F^^ boxes R'^ satisfy 



E 



e. 



Thus H{B\E) is bounded as follows 

H{B\E) inf Vr,/(Q), 



(C5) 



(C6) 



where X^jJ^iCi = e, X^i^i ~ 1- '^'^ estimate the above 
quantity note that by Markov inequality we have 



i:ei<S 



This gives 



H(B\E) > sup(l - -)/i(0.9091 -f- 4.55). 

5 



(C7) 



(C8) 



Overall, we obtain the following bound on key rate: 

K > H{B\E) - H{B\A) > sup(l - |)/i(0.9091 + 4.5(5) 

s 



M^.)+^6log3 



(C9) 



Putting (5 = 1.8e we obtain the following noise threshold, 
below which sharing key is possible. 



eo < 0.68%. 



(CIO) 



This is smaller than typical thresholds obtained from 
CHSH, which are of order of 2%. However we have not 
performed optimization in (jC6|) , which would give a bet- 
ter rate. 
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Appendix D: Bound for a Bell inequality 

Here we outline the way we obtained quantum- 
mechanical bound for the Bell inequality We shall 
follow Refs. [4^ and js^ (their methods originate from 
Tsirelson approach [l^l)- Namely, a matrix f with the 
following matrix elements = {ilrlxjXjlip) is always 
positive semidefinite, for any state tp and any collecion of 
operators X;. Hence a matrix F = i(r-|-r*) where * de- 
notes complex conjugation is a real positive semidefinite 
matrix. 

For our purpose the role of Xj's will be played by the 
following ten operators 

/, A,,A2, A3, B,,B2,B3, B^B'^, B'^. (Dl) 

The resulting matrix T has thus I's on diagonal, and 
moreover satisfies a couple of constraints. Namely, The 



equalities 

(/Bi) = (B2B3), {IB2) = (B1B3), (/B3) = 

(D2) 

imply 

ri,5 = Tej, ri,6 ~ Fs^y, Fij = Fg^s. (D3) 
Similar equalities for B'^s imply further three constraints 

ri,8 = Fg^lO, Fi^9=F8aO, Ti^io = Fg^g. (D4) 

Here is the full matrix F, where by x we denote un- 
determined elements, which are constrained only by its 
positivity. The elements hi and h'^ are also undetermined, 
we do not write explicitly elements below the diagonal, 
as the matrix is Herniitian. 





I (Ai) 


(^2) 


(^3) 


(Bi) 


{B2) 


{B3) 


{B[) 




(B's) 


/ 


1 X 


X 


X 


bi 




63 


b[ 


b'2 


b'3 


{Ai) 


1 


X 


X 


(AiBi) 


X 


X 


{AiB[) 


X 


X 


{A2) 




1 


X 


X 


{A2B2) 


X 


X 


{A2B!,) 


X 


{A,) 






1 


X 


X 


{A3B3) 


X 


X 


{A3B'3 


{Bi) 








1 




b2 


X 


X 


X 


{B2) 










1 


bi 


X 


X 


X 


(B3) 












1 


X 


X 


X 


{B[) 














1 


b'3 


b'2 


{B'2) 
















1 


b'l 


{B!s) 
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In terms of the matrix F, the Bell's inequality reads as 
follows: 

7 = iTr(FH^), (D6) 

where 
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(D7) 



and (|D4p and F > 0. This can be done by a standard 
SDP packages. We have used SDPT3 package for Mat- 
lab. However, it turns out that the upper bound here is 
trivial, i.e. it is equal to 6. This can be directly verified: 
namely, there exists a matrix which gives 6, is positive 
and satisfies the constratins: 
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(D8) 



Now, we obtain upper bound for value 7, by maximizing 
the right-hand-side of (|D6p under the constraints (jD3[) 



Thus the application of the so called first SDP hierar- 
chy according to terminology of (soj does not result in a 
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nontrivial upper bound. We have therefore checked the 
second hierarchy, where X^'s are all possible products of 
pairs ofthe set I, Ai, A2, A3, Bi, B2, B3, B[, B'2, B'^. This 
leads to another SDP program, which produces a non- 



trivial upper bound for the Bell's inequality, i.e. 5.6364. 
The set of constraints of type (jD3[) we have generated on 
Mathematica, while the SDP program was run by use of 
SDPT3 free tool for Matlab. 



